Existing email protocols on the Internet do not validate the identity of the sender of an email. As a result, bad actors impersonate other people's identity in order to increase the likelihood of recipients opening their messages and attachments. This activity is generally referred to as “phishing” and specifically “spear phishing” when the recipient is targeted by the fake sender who is referred to as a “phisher”. By getting recipients to open these fake emails, the phishers can increase their likelihood of successfully gaining unauthorized access to confidential data, including trade secrets, state secrets, military information, and other information for a variety of motivations, especially for financial gain through fraud, identity theft and/or data theft. The senders typically target and attack multiple users at a specific organization with impersonated emails in order to gain unauthorized access to their confidential data. Once a recipient opens the fake email and sometimes the attachments, the user's computer may be infected and will be used to send out phishing emails on behalf of the phisher. Some fake emails contain links that when followed takes the user to a website, which may install malware on the recipient's computer or pose as a familiar website and ask for confidential information, such as login credentials and/or account numbers. Perpetrators may also use a compromised computer as the launch point to further penetrate the organization's computer network to access data stored on other computers, servers, and devices. Phishers may also delete and change information or even damage physical systems controlled by computers.
Existing solutions are based on checking IP address associated with the phishing email or checking the text of an email for an URL to detect whether the email is a phishing email. Further, existing solutions are not integrated into email servers and clients and therefore, are restricted to some minimal checks to detect phishing activities. These techniques seem to work only when phishers use IP addresses or URLs that are suspected to be malevolent and therefore, they are typically, not robust enough to prevent sophisticated phishing attacks.